Message Authentication

Message authentication allows you to verify whether an email originates from where it claims to come from. Sophos Email uses DMARC, SPF, and DKIM to do this.

Message authentication checks are performed in the order they appear in your Email Security policy. If an email fails the first message authentication check, the remaining checks aren't carried out. See How Message Authentication works.

For more information on the order in which authentications are carried out in different scenarios, see Sequence of Message Authentication.

We recommend setting each message authentication category to Quarantine.

You can override the message authentication by allowing domains and email addresses in the Inbound allow list.

For each message authentication, you can choose to send messages that fail to End User Quarantine.

Warning

If you're subscribed to Sophos EMS and it's set up behind your primary email security tool from a third-party provider, Sophos may receive modified emails. As a result, DKIM checks might fail, and DMARC alignment may not work correctly. A failed DKIM or DMARC check doesn't necessarily mean the email is a security risk.

Configure message authentication

To configure message authentication, do as follows:

  1. In your Email Security policy, go to Settings > Inbound > Authentication.
  2. Turn on the DMARC, SPF, and DKIM checks as needed.

    Note

    By default, the DMARC check is turned on, and Hard failure is set to Conform to sender policy.

  3. Click Add Rule to set up failure types and choose the action for each check.

    For details on available failure types and actions, see DMARC, SPF, and DKIM.

    Adding other DMARC failure types may not be available for all customers yet.

  4. Save the policy.

The new authentication settings apply to all inbound emails. Added conditions are checked from top to bottom, and the first match is applied.

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy and reporting protocol. It builds on the DKIM and SPF protocols to detect and prevent email spoofing. You can control what happens to messages that fail DMARC checks.

Hard failure: This failure occurs when a message fails DMARC because neither SPF nor DKIM passes with alignment. By default, this option is set to Conform to sender policy.

SPF alignment compares the domain in the header From address with the domain in the envelope From (MAIL FROM) address. DKIM alignment compares the d= domain in the DKIM signature with the domain in the header From address.
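The alignment rules and the Conform to sender policy behaviour described above, as an added example that is not Sophos code. It assumes relaxed alignment on the last two labels of a domain (a simplification; real verifiers use the Public Suffix List) and uses constructed authentication results instead of live DNS.

```python
"""Added example (not Sophos code): DMARC alignment and hard-failure handling.

A message passes DMARC when SPF passes with an aligned envelope-from domain,
or a DKIM signature passes with an aligned d= domain. Assumption: relaxed
alignment treats the last two labels as the organizational domain.
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain: str, header_from: str, strict: bool = False) -> bool:
    """Strict alignment needs an exact match; relaxed only the org domain."""
    a, b = domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    header_from: str      # domain of the visible From: header
    envelope_from: str    # domain of MAIL FROM / Return-Path
    spf_result: str       # "pass", "fail", "softfail", "neutral", "none"
    dkim: list = field(default_factory=list)  # (d= domain, "pass"/"fail") pairs


def dmarc_passes(r: AuthResults, strict: bool = False) -> bool:
    spf_ok = r.spf_result == "pass" and aligned(r.envelope_from, r.header_from, strict)
    dkim_ok = any(res == "pass" and aligned(d, r.header_from, strict) for d, res in r.dkim)
    return spf_ok or dkim_ok


def hard_failure_action(r: AuthResults, sender_p: str, configured: str) -> str:
    """configured: 'conform' (Conform to sender policy), 'tag', 'quarantine', 'reject'."""
    if dmarc_passes(r):
        return "deliver"
    if configured != "conform":
        return configured
    # Conform to sender policy: a published p=none means no action on failure.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[sender_p]


# Constructed sample: forwarding breaks SPF alignment but the DKIM signature survives.
FORWARDED = AuthResults("example.com", "forwarder.example.net", "pass",
                        [("example.com", "pass")])
# Constructed sample: header From is spoofed; SPF passes only for the sender's own domain.
SPOOFED = AuthResults("example.com", "mailer.example.org", "pass", [])
```

Running `hard_failure_action(SPOOFED, "none", "conform")` returns "deliver", which is the situation the p=none failure type below is meant to cover.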

You can also configure your Email Security policy to check for DMARC failure types.

The options below might not be available for all customers yet.

You can configure the following options:

  • p=none: This option allows you to take an action for DMARC failure when the sender's policy is set to none.

    Note

    Adding this failure type is useful only when Hard failure is set to Conform to sender policy. With that setting, if the sender has published p=none, no failure action is performed when the DMARC check fails; the p=none failure type lets you apply an action in that case.

  • Unsupported: This failure occurs when no DMARC record exists for the sending domain. This failure type is relevant only to the gateway mode.

  • M365 bestguesspass: This failure type is relevant only to the M365 mailflow mode. For details of how M365 evaluates "bestguesspass", see the M365 documentation.
  • Temporary failure: This failure occurs when the DNS lookup of the DMARC record responds with a temporary failure. This error may resolve itself without any intervention.
  • Permanent failure: This failure occurs when the domain's DMARC record returned by DNS lookup can't be correctly interpreted. This error may be resolved by the owner of the DNS record.

For each failure type, you can apply an action as follows:

  • Conform to sender policy: What happens to the message depends on what the sender stated in their DMARC policy. This is the default value.

    Note

    This action applies only to Hard failure.

  • Tag subject line: Sophos Email adds a tag to the message's subject line indicating that it's a spoofed message.

  • Quarantine: Message is quarantined.

    Note

    If you select Include In End User Quarantine, your users can check, release, or delete messages. See End User Quarantine.

  • Reject: Message is rejected.

    Note

    Raw headers aren't available for the rejected messages.

  • Deliver: Message is delivered to the next scanning layer.

SPF

Sender Policy Framework (SPF) allows you to verify that incoming email comes from an IP address authorized by the sending domain's administrators. Spam and phishing emails often use forged addresses.

Hard failure occurs when the sender's IP address isn't listed as an authorized sender. To ensure that only the authorized IP address can send emails, the sender must add -all in the SPF record. This option is the default SPF check for which you can configure the failure action.

You can also configure other SPF failure types, such as:

  • Soft failure: Occurs when the sender's IP address is probably not authorized. This could be because the domain owner hasn't set a more definitive restriction, which would result in a stronger "fail". To indicate that only the listed IP addresses should send email, without making the restriction definitive, the sender adds ~all to the SPF record.
  • Neutral: Occurs when the sender's domain explicitly states that it's not asserting whether the sender's IP address is authorized or not, by specifying ?all in the SPF record. In this case, emails from any sender IP address give a neutral result.
  • Unsupported: Occurs when the sender hasn't configured the SPF record.
  • Temporary failure: Occurs due to a temporary error, usually a DNS error, while performing the check. This error may resolve itself without any intervention from the DNS operator.
  • Permanent failure: Occurs when the domain's published records can't be correctly interpreted. This indicates an error that requires the DNS operator's intervention.
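How the -all, ~all and ?all qualifiers and the missing or malformed record cases above map to these SPF failure types, as an added example that is not Sophos code. It assumes the domain's TXT records are supplied inline rather than fetched from DNS, and it skips mechanisms that would need further lookups (include, a, mx, exists, ptr).

```python
"""Added example (not Sophos code): classify an SPF result and map it to the
failure types listed above. Records are constructed inline; no DNS is used."""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "mx", "exists", "ptr"}

# SPF result -> failure type named in the policy ("pass" has no failure type)
FAILURE_TYPE = {"fail": "Hard failure", "softfail": "Soft failure",
                "neutral": "Neutral", "none": "Unsupported",
                "temperror": "Temporary failure", "permerror": "Permanent failure"}


def evaluate_spf(txt_records, sender_ip):
    """Return an RFC 7208 result string for sender_ip against the TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"          # sender hasn't published an SPF record
    if len(spf) > 1:
        return "permerror"     # more than one v=spf1 record is invalid
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()
        if "=" in name:
            continue           # modifier such as redirect= or exp= (not followed here)
        if name == "all":
            return QUALIFIER[qual]   # -all -> fail, ~all -> softfail, ?all -> neutral
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # unparsable address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIER[qual]
        elif name in NEEDS_DNS:
            continue           # assumption: lookups skipped in this offline example
        else:
            return "permerror" # unknown mechanism is a syntax error
    return "neutral"           # nothing matched and no "all" term present


def classify(txt_records, sender_ip):
    """Return (spf_result, failure type shown in the policy or 'pass')."""
    result = evaluate_spf(txt_records, sender_ip)
    return result, FAILURE_TYPE.get(result, "pass")
```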

For each failure type, you can apply an action as follows:

  • Tag subject line: Sophos Email adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
  • Quarantine: Message is quarantined.

    Note

    If you select Include In End User Quarantine, your users can check, release, or delete messages. See End User Quarantine.

  • Reject: Message is rejected.

    Note

    Raw headers aren't available for the rejected messages.

  • Deliver: Message is delivered to the next stage.

DKIM

DomainKeys Identified Mail (DKIM) is an authentication framework used to sign and validate a message based on the domain of the sender. You can control what happens to messages that fail DKIM checks.

Hard failure occurs when DKIM is configured, the DKIM signature is in the email, and the DNS responds properly, but the DKIM check didn't pass. This option is the default DKIM check for which you can configure the failure action.

You can also configure other DKIM failure types, such as:

  • Unsupported: Occurs when the sender hasn't configured DKIM or the DKIM key published by the sender in the DNS record isn't valid.
  • Temporary failure: Occurs due to a temporary error, usually a DNS error, while performing the check. This error may resolve itself without any intervention from the DNS operator.
  • Permanent failure: Occurs when the domain's published records can't be correctly interpreted. This indicates an error that requires the DNS operator's intervention.

For each failure type, you can apply an action as follows:

  • Tag subject line: Sophos Email adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
  • Quarantine: Message is quarantined.

    Note

    If you select Include In End User Quarantine, your users can check, release, or delete messages. See End User Quarantine.

  • Reject: Message is rejected.

    Note

    Raw headers aren't available for the rejected messages.

  • Deliver: Message is delivered to the next stage.